[{"data":1,"prerenderedAt":509},["ShallowReactive",2],{"navigation":3,"/security/compliance":145,"/security/compliance-surround":504},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe 
Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy 
Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":94,"body":147,"description":497,"extension":498,"links":499,"meta":500,"navigation":501,"path":95,"seo":502,"stem":96,"__hash__":503},"docs/4.security/1.compliance.md",{"type":148,"value":149,"toc":486},"minimark",[150,154,158,163,171,187,191,229,233,236,311,315,318,323,348,354,358,361,421,428,432,435,479],[151,152,94],"h1",{"id":153},"compliance",[155,156,157],"p",{},"OpenApe is regulation-ready by design. One architecture satisfies both sides of the Atlantic.",[159,160,162],"h2",{"id":161},"eu-nis2-directive-20222555","EU: NIS2 (Directive 2022/2555)",[155,164,165,166,170],{},"NIS2 requires ",[167,168,169],"strong",{},"strong authentication"," for critical systems. 
OpenApe delivers this without opt-in:",[172,173,174,181,184],"ul",{},[175,176,177,180],"li",{},[167,178,179],{},"Passkeys"," fulfill the strong authentication requirement (possession of the authenticator + biometrics/PIN) — the PIN/biometric factor is only guaranteed when the login flow requests user verification as required, not merely preferred",[175,182,183],{},"No separate MFA prompt — both factors are checked inside the single passkey ceremony",[175,185,186],{},"Agent authentication via Ed25519 challenge-response is key-based machine-to-machine authentication; because the private key is the only factor, its protection and rotation on the agent host determine the assurance level",[159,188,190],{"id":189},"usa-nist-csf-20-executive-order-14028","USA: NIST CSF 2.0 & Executive Order 14028",[172,192,193,199,205,211],{},[175,194,195,198],{},[167,196,197],{},"NIST Cybersecurity Framework 2.0"," — Passkeys + asymmetric auth address the Identity Management, Authentication and Access Control (PR.AA) category",[175,200,201,204],{},[167,202,203],{},"Executive Order 14028"," — requires MFA and Zero Trust for federal agencies and their suppliers",[175,206,207,210],{},[167,208,209],{},"SEC Cyber Rules"," (2023) — incident reporting aided by clean audit trails (human/agent separation)",[175,212,213,216,217,221,222,221,225,228],{},[167,214,215],{},"CMMC 2.0"," — tiered security levels can be supported by the grant system's lifetime classes (",[218,219,220],"code",{},"once","/",[218,223,224],{},"timed",[218,226,227],{},"always",")",[159,230,232],{"id":231},"why-passkeys-only","Why Passkeys-Only?",[155,234,235],{},"Passwords are explicitly prohibited in the DDISA spec. 
Here's what this eliminates:",[237,238,239,255],"table",{},[240,241,242],"thead",{},[243,244,245,249,252],"tr",{},[246,247,248],"th",{},"Attack Vector",[246,250,251],{},"With Passwords",[246,253,254],{},"With Passkeys",[256,257,258,270,281,291,302],"tbody",{},[243,259,260,264,267],{},[261,262,263],"td",{},"Phishing redirect",[261,265,266],{},"⚠️ Main risk",[261,268,269],{},"✅ Eliminated (origin-bound)",[243,271,272,275,278],{},[261,273,274],{},"Credential theft",[261,276,277],{},"⚠️ Possible",[261,279,280],{},"✅ Eliminated at the IdP (only public keys are stored) — the private key on the device or in a passkey sync account is still an asset to protect",[243,282,283,286,288],{},[261,284,285],{},"Man-in-the-Middle",[261,287,277],{},[261,289,290],{},"✅ Eliminated for the login itself (origin-bound challenge-response) — the session token issued afterwards still relies on TLS",[243,292,293,296,299],{},[261,294,295],{},"Credential stuffing",[261,297,298],{},"⚠️ Common",[261,300,301],{},"✅ Eliminated (no passwords)",[243,303,304,307,309],{},[261,305,306],{},"Brute force",[261,308,277],{},[261,310,301],{},[159,312,314],{"id":313},"compromised-sp-analysis","Compromised SP Analysis",[155,316,317],{},"What can a compromised Service Provider actually do?",[155,319,320],{},[167,321,322],{},"With Passkeys (current):",[172,324,325,328,331,338,345],{},[175,326,327],{},"✅ Cannot steal credentials (phishing-proof)",[175,329,330],{},"✅ Cannot impersonate users at the IdP",[175,332,333,334,337],{},"✅ Cannot use assertions for other SPs (",[218,335,336],{},"aud"," binding)",[175,339,340,341,344],{},"⚠️ Can see claims (email, ",[218,342,343],{},"act",") of users who log in — accepted, unclosable surface",[175,346,347],{},"⚠️ Can hijack sessions on its own service",[155,349,350,353],{},[167,351,352],{},"A compromised SP becomes a passive observer of the identity layer, not an attacker against it."," It can misuse the sessions and claims of its own users, but it cannot forge identities or reach other SPs — a fundamental improvement over password-based systems, where a compromised SP could harvest reusable credentials.",[159,355,357],{"id":356},"agent-authentication-nis2","Agent Authentication & NIS2",[155,359,360],{},"Agents authenticate via Ed25519 challenge-response, not passwords or 
passkeys:",[237,362,363,375],{},[240,364,365],{},[243,366,367,369,372],{},[246,368],{},[246,370,371],{},"Human (Passkey)",[246,373,374],{},"Agent (Ed25519)",[256,376,377,388,399,410],{},[243,378,379,382,385],{},[261,380,381],{},"Factor 1",[261,383,384],{},"Possession (device)",[261,386,387],{},"Possession (private key)",[243,389,390,393,396],{},[261,391,392],{},"Factor 2",[261,394,395],{},"Biometrics/PIN",[261,397,398],{},"N/A — single factor; the private key's storage (file permissions, keychain or HSM) and rotation carry the whole assurance",[243,400,401,404,407],{},[261,402,403],{},"Phishing risk",[261,405,406],{},"Eliminated (origin-bound)",[261,408,409],{},"N/A (no browser) — the equivalent risk is key exfiltration from the agent host",[243,411,412,415,418],{},[261,413,414],{},"Replay protection",[261,416,417],{},"WebAuthn challenge",[261,419,420],{},"One-time challenge (server-issued nonce, consumed on use)",[155,422,423,424,427],{},"NIS2 requires strong auth for ",[167,425,426],{},"humans",". For machine-to-machine access, asymmetric challenge-response is the established strong-authentication pattern; with only one factor, key custody is what determines the assurance level.",[159,429,431],{"id":430},"audit-trail","Audit Trail",[155,433,434],{},"Every action is traceable:",[172,436,437,454,470],{},[175,438,439,442,443,446,447,449,450,453],{},[167,440,441],{},"AuthN-JWT"," — ",[218,444,445],{},"sub"," (who), ",[218,448,343],{}," (human/agent), ",[218,451,452],{},"iss"," (which IdP)",[175,455,456,442,459,462,463,466,467],{},[167,457,458],{},"AuthZ-JWT",[218,460,461],{},"decided_by"," (who approved), ",[218,464,465],{},"permissions",", ",[218,468,469],{},"cmd_hash",[175,471,472,478],{},[167,473,474,477],{},[475,476,65],"a",{"href":66}," audit log"," — JSONL with command, grant ID, timestamp, result",[155,480,481,482,485],{},"For audit log formats and monitoring recommendations, see the ",[475,483,484],{"href":143},"Monitoring Guide",".",{"title":487,"searchDepth":488,"depth":489,"links":490},"",3,2,[491,492,493,494,495,496],{"id":161,"depth":489,"text":162},{"id":189,"depth":489,"text":190},{"id":231,"depth":489,"text":232},{"id":313,"depth":489,"text":314},{"id":356,"depth":489,"text":357},{"id":430,"depth":489,"text":431},"NIS2, NIST CSF 2.0, and regulatory 
compliance.","md",null,{},true,{"title":94,"description":497},"ToO0cxxvS1sbpJsSNBCTzj-dWnpbSecENhTMGTeZ7Hg",[505,507],{"title":85,"path":86,"stem":87,"description":506,"children":-1},"Add OpenApe login to any Nuxt app in minutes.",{"title":98,"path":99,"stem":100,"description":508,"children":-1},"Security analysis and design decisions.",1774221116104]